Payment Data Sharing and Security for Payment Partners

Written by Alfer Rajah
Updated over 2 months ago

Overview

Payment partners (PSPs, payfacs, acquirers) can share merchant payment data with SAPI to streamline underwriting. This guide explains what data is shared, security measures, merchant consent requirements, and data protection compliance.

Why Share Payment Data?

Benefits:
- Faster merchant approvals (no need for Open Banking connection)
- Higher approval rates (more complete data picture)
- Better merchant experience (fewer steps, less friction)
- Automated eligibility assessment (identify qualifying merchants proactively)

What Data is Shared

Transaction Data

Aggregate metrics:
- Daily/weekly/monthly card sales volumes
- Transaction counts
- Average ticket size
- Refund and chargeback rates
- Payment trends (growing, stable, declining)

Temporal data:
- Processing history length (how long the merchant has been with you)
- Seasonality patterns
- Recent performance vs. historical

Merchant Business Data

Basic information:
- Merchant legal name
- Business registration number
- Trading name
- Industry/MCC code
- Business address
- Account status with you (active, suspended, closed)

What is NOT Shared

SAPI never receives:
- End customer personal data (cardholder names, emails, card numbers, addresses)
- Individual transaction details (who bought what)
- Your proprietary business information (your rates, margins, internal notes)
- Other merchants' data (only merchants being referred/assessed)

Security and Encryption

Data Transmission

All data encrypted:
- TLS 1.3 encryption in transit
- API authentication (for partners with data feeds)
- Secure file transfer protocols (SFTP/HTTPS for batch uploads)

Data Storage

SAPI's security:
- UK-based servers only
- Encrypted at rest
- Access controls (only authorized underwriting staff)
- Regular security audits
- SOC 2 Type II compliance

Data Retention

How long SAPI keeps data:
- Active merchant referrals: Duration of assessment + 6 months
- Funded merchants: 6-7 years post-repayment (regulatory requirement)
- Declined referrals: 12 months, then securely deleted

Merchant Consent Requirements

GDPR compliance:

Consent Language (Required)

Include in your merchant agreements or terms:

"By accepting financing from SAPI (introduced by [Your Company]), you consent to us sharing your payment processing data with SAPI Group Limited and SAPI Origination Limited for the purposes of assessing and servicing your financing application. This includes transaction volumes, processing history, and business information. SAPI will process your data in accordance with their Privacy Policy available at [SAPI privacy policy URL]."

When Consent is Obtained:

Before referral:
Merchant must consent before you share data with SAPI.

How:
- Checkbox on application form
- Clause in merchant terms of service
- Signed data sharing consent form

Record:
Keep consent records for 6 years (GDPR requirement).

Data Processing Agreement

Required: SAPI and payment partners sign a Data Processing Agreement (DPA).

DPA covers:
- What data is shared and why
- Security measures
- Data retention periods
- Breach notification procedures (24-hour notice requirement)
- Sub-processor disclosure
- Audit rights
- Data deletion upon termination

The DPA is signed during onboarding, either as part of the partnership agreement or as a separate document.

Data Sharing Methods

Method 1: Batch File Upload (Most Common)

Process:
1. Generate daily/weekly CSV or JSON file with merchant data
2. Upload to SAPI's secure SFTP server or HTTPS endpoint
3. SAPI imports and processes data

File format:
CSV or JSON with agreed schema (provided during onboarding).

Frequency:
Daily (for active partnerships) or weekly.
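
A pre-upload check for the batch file in Method 1, enforcing the "What is NOT Shared" list before anything leaves your systems: it rejects columns outside an allowlist and any cell containing a Luhn-valid card number or an email address. This is an added example, not SAPI's code; the column names are hypothetical, since the real schema is the one provided during onboarding, and the sample rows are constructed.

```python
import csv
import io
import re

# Hypothetical column names; the real schema is the one agreed during onboarding.
ALLOWED_COLUMNS = {
    "merchant_legal_name", "registration_number", "trading_name", "mcc",
    "business_address", "account_status", "card_sales_volume",
    "transaction_count", "avg_ticket", "refund_rate", "chargeback_rate",
}
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_violations(csv_text):
    """Return the reasons a batch must not be uploaded (empty list = OK)."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        return ["empty file"]
    header = rows[0]
    problems = [f"unexpected column: {c}" for c in header if c not in ALLOWED_COLUMNS]
    # line_no counts CSV records; it matches file lines when cells hold no newlines
    for line_no, row in enumerate(rows[1:], start=2):
        for i, cell in enumerate(row):
            col = header[i] if i < len(header) else f"extra[{i}]"
            for m in PAN_CANDIDATE.finditer(cell):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    problems.append(f"line {line_no}, {col}: possible card number")
            if EMAIL.search(cell):
                problems.append(f"line {line_no}, {col}: email address")
    return problems

CLEAN = (  # constructed sample: aggregates and business data only
    "merchant_legal_name,registration_number,mcc,card_sales_volume,chargeback_rate\n"
    "Example Bakery Ltd,01234567,5462,48210.55,0.002\n"
)
DIRTY = (  # constructed sample: a free-text column leaked cardholder data
    "merchant_legal_name,registration_number,notes\n"
    'Example Bakery Ltd,01234567,"refund 4111 1111 1111 1111, jane@example.com"\n'
)

if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("DIRTY", DIRTY)):
        print(name, find_violations(sample) or "ok to upload")
```

Run it as a gate in the export job so a non-empty result blocks the SFTP/HTTPS upload step.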

Method 2: Manual Referral with Data

Process:
1. Export specific merchant's data
2. Email to [email protected] with referral
3. Attach payment processing summary (PDF or CSV)

Best for:
Low-volume partners or one-off referrals.

Method 3: Future - Real-Time Data Feed

In development:
API-based real-time data sharing for instant eligibility checks and automated referrals.

Contact [email protected] if interested in future API data sharing capabilities.

Data Breach Procedures

If your systems are breached and merchant data may be compromised:

Immediate actions:
1. Contain the breach
2. Notify SAPI within 24 hours: [email protected] and [email protected] with subject "URGENT: DATA BREACH"
3. Provide: What data may be affected, how many merchants, timeframe, whether SAPI data is involved

SAPI will:
- Assess impact on referred/funded merchants
- Coordinate with you on customer notifications (if required under GDPR)
- Implement additional security measures if needed
- Report to ICO if legally required

Frequently Asked Questions

Q: Do merchants know we're sharing their data with SAPI?
A: Yes, they must provide consent. Include clear data sharing disclosure in your merchant agreements.

Q: Can we share data for all our merchants, or only those we're referring?
A: Only share data for merchants you're actively referring or assessing for referral. Don't bulk-share your entire merchant database without specific need.

Q: What if a merchant revokes consent—how do we tell SAPI?
A: Email [email protected] immediately with merchant name and request to delete their data. SAPI will confirm deletion within 5 business days.

Q: Can SAPI use shared payment data for marketing to merchants?
A: No. Data is used only for assessing and servicing financing applications. SAPI won't market to merchants without explicit consent.

Q: What if we terminate the partnership—what happens to shared data?
A: For declined/non-funded merchants: Data deleted within 90 days. For funded merchants: Retained for duration of their advance + 6-7 years (regulatory requirement).

Need Help?

Data sharing setup: [email protected]
Data security questions: [email protected]
GDPR/privacy concerns: [email protected]


Business Hours: Monday-Friday, 9am-5pm GMT
